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REMARKS 

This Application has been carefully reviewed in light of the Final Office Action 
mailed September 30, 2003. In order to advance prosecution of this case, Applicant presents 
the following arguments. Applicant respectfully requests reconsideration and favorable 
action in this case. 

Section 112 Rejections 

The Examiner rejects Claims 1, 7, 13-14, and 20 under 35 U.S.C. § 112, first 
paragraph, as failing to comply with the written description requirement in that the claims 
contain subject matter which was not described in the specification in such a way as to 
reasonably convey to one skilled in the relevant art that the inventor, at the time the 
application was filed, had possession of the claimed invention. Applicant respectfully 
traverses this rejection, and respectfully submits that the claims comply with the written 
description requirement under 35 U.S.C. § 112, first paragraph. Applicants submits the 
following portions of the description that support the particular claim language: 

1) "at a binary state machine prior to being buffered at a first network device" : As 
noted on p. 8, lines 20-22, "the network traffic accessing firewall 18 and attempting to access 
firewall 18 form an input stream to intrusion detection system 30," which includes state 
machine 32. As depicted in Figure 1, firewall 18 is interposed before network devices in 
protected network 12 and passes traffic to protected network 12. Since intrusion detection 
system 30 receives input stream 29 from firewall 18 before it has reached protected network 
12, input stream 29 arrives "at a binary state machine prior to being buffered at a first 
network device." 

2) "storing a copy of the input stream at a network interface disposed between the 
first network device and the second network device" : As noted, "the network traffic 
accessing firewall 18 and attempting to access firewall 18 form an input stream 29 to 
intrusion detection system 30" (p. 8, lines 20-22). The network traffic stored and handled by 
firewall 18 is thus a copy of input stream 29 sent to intrusion detection system 30. 

3) "discarding the first character before selecting a next character of the input 
stream" : As noted on p. 9, lines 21-25, "[a]fter the new state is determined based upon that 
character and the current state is determined, there is no longer a need to buffer that 
character." Furthermore, discarding a character from the buffer after it is processed 
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"eliminates the drain upon processor and memory resources taken up by buffer 
manipulation." 

4) "transmitting the copy of the first input stream to the first network device if an 
attack on the computer is not detected" : As noted above, the network traffic handled by 
firewall 18 is a copy of input stream 29 to intrusion detection device 30. Firewall 18, as part 
of its role as gate keeper to protected network 12, can interrupt or transmit traffic to network 
devices as part of "preventing unauthorized user on unprotected network 14 to interfere with 
the operation of protected network 12" (p. 7, lines 18-21), such as when an attack is detected. 
Furthermore, the specification specifically describes countermeasures for attacks, such as 
resetting a connection, that interrupt transmission of network traffic (p. 10, lines 26-28). 
Thus, the specification describes "transmitting the copy of the first input stream to the first 
network device if an attack on the computer is not detected". 

For at least these reasons, Applicant respectfully submits that there is adequate written 
description for the cited language of the claims. Reconsideration and favorable action is 
requested. If the Examiner disagrees with Applicant's arguments, Applicant reminds the 
Examiner that he has the burden to prove that Applicant's asserted justification is inadequate. 
Per MPEP § 2163-III(A), "a description as filed is presumed to be adequate unless or until 
sufficient evidence or reasoning to the contrary has been presented by the Examiner to rebut 
the presumption." See, e.g., In re Marzocchi, 439 F.2d 220, 224, 169 USPQ 367, 370 (CCPA 
1971). The Examiner has the "burden of presenting by a preponderance of the evidence why 
a person skilled in the art would not recognize in an applicant's disclosure a description of the 
invention defined by the claims." MPEP § 2163-III(A). See also In re Wertheim, 541 F.2d 
257, 191 USPQ 90 (CCPA 1976). 
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Section 102 Rejections 

The Examiner rejects Claims 1-5, 7-18, and 20 under 35 U.S.C. § 102(e) as being 
anticipated by U.S. Patent No. 5,319,776 issued to Hile et al. ("Hile"). Applicant respectfully 
submits that the cited reference does not describe, expressly or inherently, each and every 
limitation of the rejected claims. In particular, among other deficiencies, Hile does not 
describe "receiving an input stream at a binary state machine prior to being buffered at a first 
network device" or "transmitting the copy of the input stream to the first network device if an 
attack on the computer network is not detected" (recited in Claim 1, and analogous language 
is found in Claims 7, 13, and 14). Hile teaches buffering an input stream at buffer 30 before 
the input stream is scanned by state machine 32. The input stream is subsequently stored in 
buffer 38 before being stored in destination medium 24b. 

The Examiner asserts that this shows the recited "receiving an input stream ... prior to 
being buffered at a first network device." But contrary to the Examiner's assertion, buffer 30 
is part of the same network device as buffer 38 and destination 24b, namely, computer system 
14. All of the components of computer system 14 are controlled by a common CPU 18a and 
are coupled to a network (telecommunication link 26) by a single modem 28, and it is not 
shown or disclosed in Hile that components of computer system 14 may act as separate 
network devices. Thus, the computer system 14 of Hile acts as a single network device. 
Consequently, buffering the input stream in buffer 30 is actually buffering the input stream at 
a first network device, and thus, the step that the Examiner proposes is not performed "prior 
to being buffered at a first network device." Furthermore, the recited transmitting step "to the 
first network device" is never shown, because the input stream is already at state machine 32, 
which is part of the same network device as buffer 38 and destination 24b. Thus, the claims 
are patentably distinct from the cited references. And as noted in the specification of the 
present application at p. 5, lines 14-19, this distinction may provide technical advantages in 
certain embodiments, such as eliminating difficulties associated with an attack crossing the 
buffer boundary. 

For at least these reasons, Hile does not anticipate Claim 1 , and for analogous reasons, 
Hile does not anticipate Claims 7, 13, or 14. The dependent claims that depend directly or 
indirectly on one or more of these claims are allowable for at least these reasons as well. 
Accordingly, Applicant respectfully requests reconsideration and allowance of Claims 1, 7, 
13, 14, and their respective dependent claims. 
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Section 103 Rejections 

The Examiner rejects Claims 6 and 19 under 35 U.S.C. § 103(a) as being unpatentable 
over Hile in view of U.S. Patent No. 6,078,924 issued to Ainsbury et al. ("Ainsbury"). 
Claims 6 and 19 each depend on a claim that is allowable for at least the reasons stated 
above, and Claims 6 and 19 are therefore allowable for at least those reasons as well. 
Accordingly, Applicant respectfully requests reconsideration and allowance of Claims 6 and 
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Conclusions 



Applicant has made an earnest attempt to place this case in condition for allowance. 
For the foregoing reasons, and for other reasons clearly apparent, Applicant respectfully 
requests full allowance of all pending Claims. If the Examiner feels that a telephone 
conference or an interview would advance prosecution of this Application in any manner, the 
undersigned attorney for Applicant stands ready to conduct such a conference at the 
convenience of the Examiner. 

No fees are believed to be due, however, the Commissioner is hereby authorized to 
charge any fees or credit any overpayments to Deposit Account No. 02-0384 of Baker Botts 
L.L.P. 



Respectfully submitted, 



BAKER BOTTS L.L.P. 




2001 Ross Avenue, Suite 600 
Dallas, Texas 75201-2980 
(214)953-6447 
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